Re: ACL for PGP
Hi!
That's what I thought. Do you have any idea why these PGP clients need
write permission throughout the whole tree, not just the PGP Keys
branch?
Regards,
Alejandra
At 21:12 09.01.2002 +0100, you wrote:
Hi,
the interpretation is quite simple.
It goes from top to bottom and stops at the first match.
On Wednesday 09 January 2002 13:28, you wrote:
> access to dn=".*,o=PGP Keys,dc=atrete,dc=ch" by * write
Anybody has write access to anything below o=PGP Keys,dc=atrete,dc=ch
> access to dn=".*,dc=atrete,dc=ch" by * write
Anybody has write access to anything below dc=atrete,dc=ch
> access to dn=".*,dc=ch" by * read
Anybody has read access to anything below dc=atrete,dc=ch
But remember: anything below dc=atrete,dc=ch is writable
because of the "stop at first match" rule.
> access to * by * write
Anybody has write access to anything else
IMHO the first line is not necessary, since it should be covered
by the second line.
Conclusion(s):
1. A very big part of your directory is writable by anybody
   (including anonymous).
   [This is very funny if you use your directory to publish
   PGP keys, since anybody can publish faked PGP keys.]
2. If you only have entries below dc=atrete,dc=ch in your directory,
   the only entry that is read-only is the entry dc=atrete,dc=ch.
3. If you have entries below dc=ch in your directory that are not
   below dc=atrete,dc=ch, they are all read-only.
Yours
Peter
--
Peter Marschall  | eMail: peter.marschall@mayn.de
Scheffelstraße 15 |        peter.marschall@is-energy.de
97072 Würzburg    | Tel: 0931/14721
PGP: D7 FF 20 FE E6 6B 31 74 D1 10 88 E0 3C FE 28 35
______________________________________________________________________
Alejandra Moreno Espinar
at rete ag
mailto:alejandra.moreno@atrete.ch, http://www.atrete.ch
snail mail: Oberdorfstrasse 2, P.O. Box 674, 8024 Zurich, Switzerland
voice: +41-1-266 55 55, direct: +41-1-266 55 91, fax: +41-1-266 55 88
______________________________________________________________________
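An added illustration, not part of the thread above: a small Python model of the "top to bottom, stop at the first match" evaluation Peter describes, run over the four access lines quoted in the message and over a narrowed two-line ordering (my own suggestion, not from the thread) that limits write access to the PGP Keys branch. The `by *` subjects are ignored because every clause in the message grants to everyone, including anonymous.

```python
import re

# Constructed from the four "access to" lines quoted in the thread, in order.
# Each entry is (dn regex, access level granted to everybody).
BROKEN_ACL = [
    (r'.*,o=PGP Keys,dc=atrete,dc=ch', 'write'),
    (r'.*,dc=atrete,dc=ch', 'write'),
    (r'.*,dc=ch', 'read'),
    (r'.*', 'write'),
]

# Narrowed ordering (an assumption of this example, not from the thread):
# only the PGP Keys branch is writable, everything else is read-only.
FIXED_ACL = [
    (r'.*,o=PGP Keys,dc=atrete,dc=ch', 'write'),
    (r'.*', 'read'),
]

# Constructed sample DNs covering each of Peter's three conclusions.
SAMPLE_DNS = [
    'cn=alice,o=PGP Keys,dc=atrete,dc=ch',   # inside the PGP Keys branch
    'cn=bob,ou=people,dc=atrete,dc=ch',       # elsewhere under dc=atrete,dc=ch
    'dc=atrete,dc=ch',                        # the base entry itself
    'o=other,dc=ch',                          # under dc=ch but not dc=atrete
    'dc=example,dc=com',                      # outside dc=ch entirely
]


def evaluate(acl, dn):
    """Return the access level the first matching clause grants for dn.

    Simplified model of slapd's rule: clauses are tried top to bottom and
    the first whose dn regex matches decides; later clauses are never
    consulted. Returns None when no clause matches.
    """
    for pattern, level in acl:
        if re.fullmatch(pattern, dn):
            return level
    return None


def writable_entries(acl, dns=SAMPLE_DNS):
    """List the sample DNs that anybody (anonymous included) may write."""
    return [dn for dn in dns if evaluate(acl, dn) == 'write']


if __name__ == '__main__':
    for name, acl in (('broken', BROKEN_ACL), ('fixed', FIXED_ACL)):
        print(name, 'writable by anyone:', writable_entries(acl))
```

With the quoted ordering, every sample entry except `dc=atrete,dc=ch` and `o=other,dc=ch` comes back writable by anyone, which is exactly the spoofed-key risk Peter points out.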